Trust & Security

Security is the product

How Graneth protects your code, your secrets, and your scan data.

Shadow mode by default

Graneth observes, scores, and reports — it never blocks a merge or writes to your default branch until you promote a policy to enforcement. You earn trust before you grant control.

Security measures

Rate limiting

Per-IP and per-token bucket limiting on every endpoint to absorb abuse and protect upstream APIs.

HMAC-SHA256 webhooks

Inbound GitHub webhooks are verified with constant-time HMAC-SHA256 signatures before any handler runs.

Strict CORS allowlist

Cross-origin requests are restricted to an explicit origin allowlist — no wildcard reflection.

Zod input validation

Every input is parsed against a Zod schema. Malformed payloads are rejected at the edge.

RBAC on MCP tools

Each MCP tool call is authorized against role-based access control before it can read code or post findings.

Prompt-injection guard

Untrusted code and PR text are wrapped and screened so injected instructions can't steer the analyzer.

Encryption at rest

Secrets and tokens are encrypted at rest; API keys are stored hashed and shown only once.

PostgreSQL row-level security

Tenant isolation is enforced in the database with row-level security — not just in app code.

SOC 2 — planned GDPR aligned Least-privilege OAuth scopes No training on your code